@@ -7,273 +7,49 @@ module "launch_vpc" {
77 subnets_bit_length = . subnets_bit_length
88}
99
10- module "amis " {
11- source = " ../amis "
10+ module "launch_autoscale_into_vpc " {
11+ source = " ../autoscale "
1212
13- version_license = . gateway_version
14- }
15-
16- resource "aws_security_group" "permissive_sg" {
17- name_prefix = format (" %s_PermissiveSecurityGroup" . asg_name )
18- description = " Permissive security group"
1913 vpc_id = . launch_vpc . vpc_id
20-
21- dynamic "ingress" {
22- for_each = for rule in var . security_rules : rule if rule . direction == " ingress"
23- content {
24- from_port = . value . from_port
25- to_port = . value . to_port
26- protocol = . value . protocol
27- cidr_blocks = . value . cidr_blocks
28- }
29- }
30-
31- dynamic ingress {
32- for_each = length ([for rule in var . security_rules : rule if rule . direction == " ingress" == 0 ? [1 ] : []
33- content {
34- from_port = 0
35- to_port = 0
36- protocol = " -1"
37- cidr_blocks = " 0.0.0.0/0"
38- }
39- }
14+ subnet_ids = . launch_vpc . public_subnets_ids_list
4015
41- dynamic "egress" {
42- for_each = for rule in var . security_rules : rule if rule . direction == " egress"
43- content {
44- from_port = . value . from_port
45- to_port = . value . to_port
46- protocol = . value . protocol
47- cidr_blocks = . value . cidr_blocks
48- }
49- }
50-
51- dynamic egress {
52- for_each = length ([for rule in var . security_rules : rule if rule . direction == " egress" == 0 ? [1 ] : []
53- content {
54- from_port = 0
55- to_port = 0
56- protocol = " -1"
57- cidr_blocks = " 0.0.0.0/0"
58- }
59- }
60- tags =
61- Name = format (" %s_PermissiveSecurityGroup" . asg_name )
62- }
63- }
64-
65- resource "aws_launch_template" "asg_launch_template" {
66- name_prefix = . asg_name
67- image_id = . amis . ami_id
68- instance_type = . gateway_instance_type
16+ // --- General Settings ---
17+ prefix = . prefix
18+ asg_name = . asg_name
19+ gateway_name = . gateway_name
20+ gateway_instance_type = . gateway_instance_type
6921 key_name = . key_name
70- network_interfaces {
71- associate_public_ip_address = true
72- security_groups = aws_security_group . permissive_sg . id ]
73- }
74-
75- metadata_options {
76- http_tokens = . metadata_imdsv2_required ? " required" : " optional"
77- }
78-
79- iam_instance_profile {
80- name = . enable_cloudwatch ? aws_iam_instance_profile. instance_profile [0 ]. name : " "
81- }
82- monitoring {
83- enabled = true
84- }
85-
86- block_device_mappings {
87- device_name = " /dev/xvda"
88- ebs {
89- volume_type = " gp3"
90- volume_size = . volume_size
91- encrypted = . enable_volume_encryption
92- }
93- }
94- description = " Initial template version"
95-
96-
97- user_data = base64encode (templatefile (" ${ path . module } /asg_userdata.yaml"
98- // script's arguments
99- PasswordHash = local.gateway_password_hash_base64,
100- MaintenanceModePassword = local.maintenance_mode_password_hash_base64
101- EnableCloudWatch = var.enable_cloudwatch,
102- EnableInstanceConnect = var.enable_instance_connect,
103- Shell = var.admin_shell,
104- SICKey = local.gateway_SICkey_base64,
105- AllowUploadDownload = var.allow_upload_download,
106- BootstrapScript = local.gateway_bootstrap_script64,
107- OsVersion = local.version_split
108- }))
109- }
110- resource "aws_autoscaling_group" "asg" {
111- name_prefix = . asg_name
112- launch_template {
113- id = . asg_launch_template . id
114- version = . asg_launch_template . latest_version
115- }
116- min_size = . minimum_group_size
117- max_size = . maximum_group_size
118- load_balancers = . proxy_elb . * . name
119- target_group_arns = . target_groups
120- vpc_zone_identifier = . launch_vpc . public_subnets_ids_list
121- health_check_grace_period = 3600
122- health_check_type = " ELB"
123-
124- tag {
125- key = " Name"
126- value = format (" %s%s" . prefix != " " ? format (" %s-" . prefix ) : " " . gateway_name )
127- propagate_at_launch = true
128- }
129-
130- tag {
131- key = " x-chkp-tags"
132- value = format (" management=%s:template=%s:ip-address=%s" . management_server , var. configuration_template , var. gateways_provision_address_type )
133- propagate_at_launch = true
134- }
135-
136- dynamic "tag" {
137- for_each = . instances_tags
138- content {
139- key = . key
140- value = . value
141- propagate_at_launch = true
142- }
143- }
144- }
145-
146- data "aws_iam_policy_document" "assume_role_policy_document" {
147- version = " 2012-10-17"
148- statement {
149- actions = " sts:AssumeRole"
150- principals {
151- type = " Service"
152- identifiers = " ec2.amazonaws.com"
153- }
154- effect = " Allow"
155- }
156- }
157-
158- resource "aws_iam_role" "role" {
159- count = . create_iam_role
160- name_prefix = format (" %s-iam_role" . asg_name )
161- assume_role_policy = . aws_iam_policy_document . assume_role_policy_document . json
162- path = " /"
163- }
164- module "attach_cloudwatch_policy" {
165- source = " ../cloudwatch_policy"
166- count = . create_iam_role
167- role = . role [count . index ]. name
168- tag_name = . asg_name
169- }
170-
171- resource "aws_iam_instance_profile" "instance_profile" {
172- count = . create_iam_role
173- name_prefix = format (" %s-iam_instance_profile" . asg_name )
174- path = " /"
175- role = . role [count . index ]. name
176- }
177-
178- // Proxy ELB
179- locals {
180- proxy_elb_condition = . proxy_elb_type != " none" ? 1 : 0
181- }
182- resource "random_id" "proxy_elb_uuid" {
183- byte_length = 5
184- }
185- resource "aws_elb" "proxy_elb" {
186- count = . proxy_elb_condition
187- name = format (" %s-proxy-elb-%s" . prefix , random_id. proxy_elb_uuid . hex )
188- internal = . proxy_elb_type == " internal"
189- cross_zone_load_balancing = true
190- listener {
191- instance_port = . proxy_elb_port
192- instance_protocol = " TCP"
193- lb_port = . proxy_elb_port
194- lb_protocol = " TCP"
195- }
196- health_check {
197- target = format (" TCP:%s" . proxy_elb_port )
198- healthy_threshold = 3
199- unhealthy_threshold = 5
200- interval = 30
201- timeout = 5
202- }
203- subnets = . launch_vpc . public_subnets_ids_list
204- security_groups = aws_security_group . elb_security_group [count . index ]. id ]
205- }
206- resource "aws_load_balancer_policy" "proxy_elb_policy" {
207- count = . proxy_elb_condition
208- load_balancer_name = . proxy_elb [count . index ]. name
209- policy_name = " EnableProxyProtocol"
210- policy_type_name = " ProxyProtocolPolicyType"
211-
212- policy_attribute {
213- name = " ProxyProtocol"
214- value = " true"
215- }
216- }
217- resource "aws_security_group" "elb_security_group" {
218- count = . proxy_elb_condition
219- description = " ELB security group"
220- vpc_id = . launch_vpc . vpc_id
221- egress {
222- from_port = 0
223- to_port = 0
224- protocol = " -1"
225- cidr_blocks = " 0.0.0.0/0"
226- }
227- ingress {
228- protocol = " tcp"
229- cidr_blocks = var . proxy_elb_clients ]
230- from_port = . proxy_elb_port
231- to_port = . proxy_elb_port
232- }
233- }
234-
235- // Scaling metrics
236- resource "aws_cloudwatch_metric_alarm" "cpu_alarm_low" {
237- alarm_name = format (" %s_alarm_low" . asg . name )
238- metric_name = " CPUUtilization"
239- alarm_description = " Scale-down if CPU < 60% for 10 minutes"
240- namespace = " AWS/EC2"
241- statistic = " Average"
242- period = 300
243- evaluation_periods = 2
244- threshold = 60
245- alarm_actions = aws_autoscaling_policy . scale_down_policy . arn ]
246- dimensions =
247- AutoScalingGroupName = aws_autoscaling_group.asg.name
248- }
249- comparison_operator = " LessThanThreshold"
250- }
251- resource "aws_autoscaling_policy" "scale_down_policy" {
252- autoscaling_group_name = . asg . name
253- name = format (" %s_scale_down" . asg . name )
254- adjustment_type = " ChangeInCapacity"
255- cooldown = 300
256- scaling_adjustment = - 1
257- }
258- resource "aws_cloudwatch_metric_alarm" "cpu_alarm_high" {
259- alarm_name = format (" %s_alarm_high" . asg . name )
260- metric_name = " CPUUtilization"
261- alarm_description = " Scale-up if CPU > 80% for 10 minutes"
262- namespace = " AWS/EC2"
263- statistic = " Average"
264- period = 300
265- evaluation_periods = 2
266- threshold = 80
267- alarm_actions = aws_autoscaling_policy . scale_up_policy . arn ]
268- dimensions =
269- AutoScalingGroupName = aws_autoscaling_group.asg.name
270- }
271- comparison_operator = " GreaterThanThreshold"
272- }
273- resource "aws_autoscaling_policy" "scale_up_policy" {
274- autoscaling_group_name = . asg . name
275- name = format (" %s_scale_up" . asg . name )
276- adjustment_type = " ChangeInCapacity"
277- cooldown = 300
278- scaling_adjustment = 1
22+ enable_volume_encryption = . enable_volume_encryption
23+ volume_size = . volume_size
24+ enable_instance_connect = . enable_instance_connect
25+ metadata_imdsv2_required = . metadata_imdsv2_required
26+ instances_tags = . instances_tags
27+
28+ // --- Auto Scaling Configuration ---
29+ minimum_group_size = . minimum_group_size
30+ maximum_group_size = . maximum_group_size
31+ target_groups = . target_groups
32+
33+ // --- Check Point Settings ---
34+ gateway_version = . gateway_version
35+ gateway_password_hash = . gateway_password_hash
36+ gateway_maintenance_mode_password_hash = . gateway_maintenance_mode_password_hash
37+ gateway_SICKey = . gateway_SICKey
38+ allow_upload_download = . allow_upload_download
39+ enable_cloudwatch = . enable_cloudwatch
40+ gateway_bootstrap_script = . gateway_bootstrap_script
41+ admin_shell = . admin_shell
42+
43+ // --- Management Configuration ---
44+ management_server = . management_server
45+ configuration_template = . configuration_template
46+ gateways_provision_address_type = . gateways_provision_address_type
47+
48+ // --- Proxy ELB Configuration ---
49+ proxy_elb_type = . proxy_elb_type
50+ proxy_elb_port = . proxy_elb_port
51+ proxy_elb_clients = . proxy_elb_clients
52+
53+ // --- Security Rules ---
54+ security_rules = . security_rules
27955}
0 commit comments